1. The message I received is from the person possessing the private key (signing).
2. The message I received is not available to Google or any other 3rd party.
GPG is a good old dumb tool that deals with crypto. I can save an e-mail into a text file and use it with GPG. I can even copy that text file to an offline computer if I don't want to risk exposing the key.
Signal is just yet another WhatsApp competitor? I don't want to publish my phone number. I don't want to trust some random application from the AppStore. I don't want my correspondence to go through some untrusted servers (and I trust Google servers much more than Signal servers). Especially servers controlled by the same person who wrote the application. I have no idea how to be sure that a message I got corresponds to the public key that person gave me when we met last time. How do I extract the message source from Signal? What are the console tools to deal with it? How do I deal with new key issuance if a person reinstalled his application?
GPG has answers for those questions. Signal does not. Basically GPG is encryption for nerds, Signal is encryption for ordinary people. It's important, but not particularly interesting for me and it's not a replacement. Especially given the fact that WhatsApp and Telegram provide E2E and they are much more widely used.
Basically GPG is good enough and we don't need anything more than that. And that GPG critique is just manipulation of facts. When my Debian distribution uses Signal to verify packages, I'll consider using it.